Tech firms pledge to release products with built-in security features

CISA Director Jen Easterly talks "secure by design" at RSA Conference in San Francisco on May 8, 2024 (photo: david dimolfetta/staff)

The Cybersecurity and Infrastructure Security Agency has been trying to get companies to agree to its "secure by design" paradigm for months.

SAN FRANCISCO — Nearly 70 tech and cybersecurity companies on Wednesday signed a U.S.-led pledge to bake default security features into their offerings, a move that Biden cyber officials have been pushing for months in an effort to shore up the baseline security of off-the-shelf tech products.

The secure by design pledge is led by the Cybersecurity and Infrastructure Security Agency. Signatory firms including Microsoft, IBM, Amazon Web Services, CrowdStrike and Palo Alto Networks made a commitment to manage vulnerability disclosure programs, track hackers’ attempts to breach their products and reduce default passwords used to log in to devices or applications during first-time setup, among other areas.

“I applaud the companies who have already signed our pledge for their leadership and call on all software manufacturers to take the pledge and join us in creating a world where technology is safe and secure right out of the box,” said CISA Director Jen Easterly in a statement leading up to a signing event at the RSA Conference in San Francisco.

News of the pledge signing at RSAC was first reported by WIRED. The signatories are promising to report on their efforts within a year of the signing, a directive that the agency believes will help hold them accountable.

CISA has been pushing secure product design since the agency's inception in 2018, and multiple high-profile cyber incidents impacting the public and private sectors over the past year have galvanized interest in the concept, which encourages companies to ship their offerings with built-in security features enabled out of the box rather than left for the customer to configure after purchase.

These include a series of breaches into Ivanti VPN products that are widely used in the federal government, including at CISA itself. More broadly, nation-state cyber operatives have been found burrowing into critical infrastructure, which often relies on third-party operational technology products that can serve as the hackers' point of entry.

Proponents of secure software standards have drawn comparisons to food or automobile safety laws, arguing that legal directives for software manufacturing would benefit all of society. Some software defects have been known for years but have never been entirely addressed.

Relatedly, the Biden administration is working to craft a legal framework that would direct the private sector to take steps to manufacture and release software that doesn’t contain exploitable flaws, a top White House cyber official said Monday.

Legal experts argue that the software market isn't incentivizing secure development, with major manufacturers weaving clauses into contracts that make users accept the software "as is" upon purchase and installation, which leaves customers bearing the entire risk of a product, including defects that could enable cyber exploitation.

Software liability is a major component of the Biden administration's National Cyber Strategy, which outlines nearly 70 objectives aimed at shoring up U.S. cyber posture. A new implementation plan update for the strategy was unveiled at RSAC this week, which calls for leveraging "all instruments of national power" to make it harder for hackers to threaten national security or public safety.